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Dear Chair 


I am writing to you in relation to a resolution of the Committee on Civil Liberties, Justice and Home 
Affairs, circulated in draft format last week. 


I understand the draft resolution in question has been tabled by way of follow-up to the Committee’s 
consideration of the Judgment of the Court of Justice of the European Union (CJEU) in proceedings 
titled Data Protection Commission v. Facebook Ireland Limited & Maximilian Schrems. As you 
know, that judgment was delivered on 16 July 2020 and is concerned with the application of European 
data protection rules to the transfer of European Union citizens’ personal data to the United States. 


I am aware, from media reports, that the Committee considered aspects of the Judgment in a public 
session held on Thursday, 3 September 2020, at which the Committee heard from three external 
parties, namely, European Commissioner for Justice, Didier Reynders, the Chair of the European Data 
Protection Board Chair, Andrea Jelinek, and data protection activist and founder of NOYB, Max 
Schrems. 


I am not aware of any subsequent debate conducted by the Committee in public session in relation to 
the matters considered on 3 September, although I expect the Committee will have considered matters 
further in private session. 


I very much welcome the Committee’s engagement with the Judgment and, indeed, its engagement 
with issues relating to the enforcement of the GDPR more generally. It is imperative that the EU’s 
elected representatives would lead the debate on these issues, not just because the European 
Parliament directed so much of the legislative process by which the GDPR itself was enacted, but also 
because it has long since been acknowledged that, if there is to be a resolution of ongoing problems 
relating to EU-US data transfers, such a resolution will require political engagement between the EU 
and the US and the agreement of a transfer scheme in which the protections afforded EU citizens by 
the GDPR and the Charter are respected — and given full effect — when their data is transferred to the 
US. 


An Coimisiún um Chosaint Sonraí, 21 Cearnóg Mhic Liam, Bhaile Atha Cliath 2. 
Data Protection Commission, 21 Fitzwilliam Square, Dublin 2. 
www.cosantasonrai.ie | www.dataprotection.ie | eolas@cosantasonrai.ie | info@dataprotection.ie Tel: +353 (0)76 1104800 


An Coimisiún um 
Chosaint Sonraí 
Data Protection 
Commission 


While, to date, I have not had the opportunity to address the Committee, either in private session, or at 
its public session of 3 September last, I would very much welcome an opportunity to engage with the 
Committee and to answer such questions as it may wish to direct to me in relation to the proceedings 
that gave rise to the CJEU’s Judgment of 16 July. I would equally welcome an opportunity to engage 
with the Committee in relation to the enforcement of the GDPR generally. If the Committee considers 
that it would be of assistance to it, in terms of ensuring that it hears from all relevant parties and 
considers all of the available perspectives, I would be happy to share the experiences of my office in 
relation to these matters. 


I acknowledge that it is of course a matter for the Committee to determine who it should hear from in 
any given context, and what conclusions, if any, may be drawn from the contributions it receives, 
whether those are provided by Committee members or by persons external to it. That cannot be 
gainsaid, given that Parliament is an important forum for political debate and decision-making within 
the EU’s legal order. As a matter of first principles, however, it is surely the case that, where 
Parliament or any of its Committees wishes to provide leadership in a particular area, and particularly 
where it proposes to adopt a resolution critical of an agency charged with responsibility for the 
implementation of a key pillar of EU law, it would wish to ensure that it has access to all relevant 
facts; that all positions presented to it have been tested; and that actions taken by the agency with 
which members of the Committee disagree have been interrogated and properly understood. Most 
fundamentally, it must surely be the case that the Committee would wish to ensure that it has afforded 
an opportunity to the agency concerned to be heard (whether in person or through correspondence) in 
relation to the criticisms levelled against it. 


Against this backdrop, the draft resolution circulated last week gives rise to significant concern. 


So far as the document engages with the Judgment of 16 July last, it does so in just two bullet points. 
While it is accepted that, by its very nature, any such resolution must necessarily seek to identify — 
and present, in short form - those points which the Committee considers to be of most importance, 
there is nonetheless a significant risk that, when complex issues, such as those presented by the CJEU 
in a Judgment containing 203 paragraphs (and running to some 63 pages) are reduced to bullet points, 
the true import — and context - of those issues may be lost. 


Given that the amount of information presented in the draft resolution is necessarily limited, and 
reflecting the impact such a statement will have in circumstances where it originates in a 
Parliamentary Committee noted for the leadership it provides in the area of data protection law 
generally, it is of particular importance that the information contained in the resolution is accurate and 
that basic tenets of fairness are observed in its presentation. 


Turning then to the two bullets incorporated in the statement in relation to the CJEU’s Judgment - and 
taking them in reverse sequence - the position is as follows: 


The issue of costs 
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Contrary to what has been suggested, the DPC did not apply to recover its costs of the judicial review 
proceedings from Mr Schrems. On the contrary, the DPC agreed with Mr Schrems - in 2016 - that it 
would not look to recover its costs from him irrespective of the outcome. When the issue of costs 
came back before the Irish Court in October 2020, the DPC applied to recover its costs from 
Facebook; it also asked the Court to direct that Facebook pay Mr Schrems’ costs, if it found that Mr 
Schrems was entitled to recover his costs notwithstanding his opposition to the making of the 
reference’. Consistent with the terms agreed with Mr Schrems in 2016, the DPC did not apply for its 
costs against Mr Schrems. 


Given that the account of the relevant events as set out in the draft resolution is both inaccurate and 
incomplete, it follows that the accompanying ‘strong condemnation’ of the DPC’s actions is neither 
sustainable nor appropriate and should be withdrawn. 


The import of the CJEU Judgment 


In the draft resolution, the Judgment has been reduced to a single proposition, to the effect that the 
legal proceedings that gave rise to it were unnecessary, i.e. it appears to be said that the DPC should 
not have sought a reference and the Irish High Court should not have made that reference; instead, the 
DPC could and should have exercised its powers under Article 58 of the GDPR to prohibit EU-US 
transfers between Facebook Ireland Limited and Facebook Inc. 


This proposition does not accurately reflect the Judgment; nor does it engage with the history and 
content of the underlying proceedings. 


So far as the Judgment itself is concerned, the draft resolution fails to engage with the core structural 
problems the subject of the reference, and the evidence and arguments presented by the parties — 
including Mr Schrems — in relation to each of those problems. In that regard, it is important to recall 
that the CJEU addressed a total of 11 questions. One of those questions was indeed concerned with 
the nature and extent of a data protection supervisory authority’s obligation to intervene in any case 
where it discerns that an individual transfer is being conducted in a manner inconsistent with EU data 
protection law. As a matter of basic logic, however, issues relating to such an intervention only arise 
if it is first established that, in principle, the laws of the third country to which the data is to be 
transferred do not provide a level of protection to EU citizens essentially equivalent to that applicable 
within the EU, and/or that the legal means by which the data is transferred is itself deficient. 


In the case before it, the CJEU was of course primarily concerned with the laws of the United States. 
Critically, the CJEU was concerned to establish, firstly, that, contrary to the position advanced by 
Facebook and a number of EU member states, steps taken by a US public authority to access an EU 


1 For completeness, it should be noted that Mr Schrems took a different position when the High Court’s decision 
to make the reference was appealed by Facebook to the Irish Supreme Court. There, Mr Schrems agreed with 
the DPC position that, in circumstances where a reference had been directed by the High Court, it was not open 
to an appellate court to interfere with the decision to refer, or to impose changes to the questions referred. That 
is to say, Mr Schrems now sought to give effect to the reference, to include each of the 11 questions posed by 
the High Court. 
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citizen’s data, post-transfer, for national security purposes, engage that citizen’s rights under EU data 
protection law. From there, the Court considered the grounds for transfers generally, noting that the 
same standard of protection must be applied to all transfers, irrespective of the means by which such 
transfers are effected. 


Separately, the Court set out the means by which the laws of the third country must be assessed, 
before going on to conclude, consistent with the DPC’s analysis, that the US does not in fact provide a 
level of protection to EU citizens in a manner consistent with the requirements of EU law and, in 
particular, the EU’s Charter of Fundamental Rights and Freedoms. 


It is only on the basis of these pre-cursor points that one can sensibly consider the consequences that 
flow from a finding that a given transfer to the US — or any third country - does not satisfy the 
requirements of EU data protection law. In that regard, and having first addressed the nature and 
extent of the obligations borne by the exporting party, the Court provided extensive clarification as to 
when, and how, data protection supervisory authorities are required to intervene. 


Against this backdrop, and even without looking beyond the content of the Judgment itself, it is clear 
that the characterisation of the Judgment as contained in the draft resolution is inaccurate and 
incomplete. 


A full and meaningful examination of the issues addressed by the CJEU requires that consideration be 
given to a whole range of factors not even hinted at in the draft resolution. By way of example — 


e While the draft resolution criticises the DPC for applying for a reference in the first place, it 
ignores directions given by the CJEU in its earlier Judgment of 6 October 2015 to the effect 
that, in any case where a national data protection supervisory authority forms the view that a 
legal instrument adopted at EU level may be inconsistent with the requirements of EU law, to 
include the Charter, it is bound to bring those concerns to the attention of the CJEU. 


e In such a case, the national supervisory authority may not proceed directly to the CJEU; 
rather, it is required to bring its concerns to the attention of a national court in the first 
instance. If the national court shares the supervisory authority’s concerns, the national court is 
in turn required to make a reference to the CJEU. (The CJEU is of course the only judicial 
entity with jurisdiction to invalidate a legal instrument adopted at EU level). 


e Inthe present case, the DPC was concerned that the protections available to EU citizens 
within the EU are not maintained when their data is transferred to the US. Importantly, it 
formed the view that structural deficiencies within the US legal system in this particular 
context could not be said to be cured by means of the “standard contractual clauses” 
developed by the EU Commission, leaving EU citizens’ exposed if/when their data is 
transferred to the US. 
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e Having formulated its concerns into a draft decision, the DPC brought its concerns to the Irish 
High Court, inviting Facebook and Mr Schrems to participate in a legal process intended to 
test whether or not the concerns identified by the DPC were well-founded. In the event, and 
following a lengthy hearing conducted over 6-weeks in which expert evidence was presented 
on behalf of each of the DPC, Facebook and Mr Schrems in relation to US law, the High 
Court concluded that the DPC’s concerns were indeed well-founded. 


e The High Court’s analysis was upheld on appeal to the Irish Supreme Court. 


e It is of note that, in deciding whether or not to make a reference, the High Court was 
specifically asked by Mr Schrems to treat the reference as being unnecessary on the grounds 
that the DPC could instead simply direct Facebook to cease transfers. Having considered the 
evidence and arguments presented by each of the parties, the High Court concluded that Mr 
Schrems’ proposed solution was not appropriate; rather, it proceeded to formulate a series of 
11 questions for consideration by the CJEU, targeting the key points of principle presented by 
transfers to the US. (Of course, it is not to be overlooked that, if the DPC had directed 
Facebook to discontinue EU-US transfers without first seeking to clarify the law, there is little 
question but that Facebook would have contested such direction by legal means, triggering a 
series of appeals in the national court but with no certainty that key points of principle would 
have been the subject of a reference to the CJEU). 


e As indicated above, the CJEU engaged with the issues referred to it on their merits. In so 
doing, it declined to rule that the reference was unnecessary or should not have been brought 
in the first place. Nor did it have any concern that the reference was inadmissible. Rather, it 
dealt in a fulsome manner with each of the points of principle arising from the reference 
questions, recognising that the proceedings provided an opportunity to clarify the law ina 
number of key respects. (Given the depth at which the CJEU engaged with the questions 
referred by the High Court, it is difficult to understand how it could now be suggested, as the 
draft resolution appears to suggest, that the “answer” to the problem was obvious all along, 
being an answer that did not require the input of the CJEU at all). 


e While it has been suggested that the DPC ultimately “lost” the case in circumstances where 
the validity of the EU Commission decision incorporating the standard contractual clauses 
was upheld, such an analysis overlooks those elements of the Judgment which specifically 
address transfers to the US and which underscore the challenges associated with reliance on 
the SCCs, whether in their published form, or with additional safeguards, to justify transfers 
to the US. 


Two points may also usefully be made here about the Court’s invalidation of the Privacy Shield 
Decision: 
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e Firstly, the CJEU”s analysis of the deficiencies inherent in the Privacy Shield Decision rested, 
in large part, on facts as established by the Irish High Court. 


e Secondly, in the course of the hearing before it, the Court observed that it was unclear 
whether, absent the invalidation of Privacy Shield, it would have been open to a national 
supervisory authority to prohibit transfers generally to the US, given that the Privacy Shield 
contained an adequacy finding (albeit qualified) in relation to the level of protection available 
in the US. 


Ultimately, therefore, it will be seen that the draft resolution gets nowhere near the essence of the 
Judgment; on the contrary, and leaving aside the extent to which it appears to reflect the perspectives 
of one party to the underlying proceedings, the resolution presents a skewed picture of what the case 
was about, and the importance attaching to the issues decided by the Court. As such, it is respectfully 
submitted that the publication of the resolution in its current form would serve only to deepen 
common misconceptions as to the import of the judgment. 


Enforcement of the law as it relates to transfers, before and after GDPR 


It appears to have been overlooked by the Committee, as, in fairness, it has been overlooked by 
others, that the DPC is in fact the only supervisory authority to engage with EU-US transfers in a 
meaningful way, or at all. In that regard, it is noteworthy that, long before the advent of the GDPR’s 
so-called “one-stop-shop” mechanism, Mr Schrems filed the same basic complaint in relation to 
Facebook’s EU-US transfers, not just with the Irish supervisory authority, but also with the Belgian 
supervisory authority and the regional supervisory authority in Hamburg. Neither of those other 
complaints has been advanced. 


Even since the CJEU delivered its judgment on 16 July 2020, it appears that no other supervisory 
authority has intervened in the manner mandated by the CJEU. Whilst it might be said that that is - at 
least in part - reflective of the number of so-called “big tech” companies having their main 
establishment in Ireland, that cannot be a full answer to the point, given the multiplicity of data 
brokers, platforms and other players in the digital economy that are established in member states right 
across the EU. 


In contrast, within a period of approximately 6 weeks after the CJEU’s Judgment was delivered in 
July, the DPC had commenced a regulatory procedure in respect of Facebook’s EU-US transfers, in 
which it specifically seeks to apply the CJEU’s analysis. The Committee will be aware that that 
procedure was met with a legal challenge by Facebook, fully contested by the DPC, in which 
judgment is presently awaited. (Separate proceedings were also brought by Mr Schrems, albeit on 
different grounds). As one consequence of the proceedings brought by both Facebook and Mr 
Schrems, the DPC’s regulatory process has been stayed by order of the Court until the Court has ruled 
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on the merits of the underlying proceedings. (It is notable that Mr Schrems recently withdrew his 
objections to the process on terms agreed between Mr Schrems and the DPC. As one part of the terms 
so agreed, Mr Schrems has elected to discontinue that part of his complaint referable to the period 
from 2013 to 24 May 2018). 


Enforcement generally 


The draft resolution contains two further bullet points directed to the discharge by the DPC of its 
regulatory enforcement obligations generally. Here again, there is an obvious disconnect between the 
conclusion reached (i.e. that the EU Commission should bring infringement procedures against 
Ireland for failing to properly enforce the GDPR) and the factual basis upon which that conclusion is 
said to rest. 


On its terms, the draft resolution appears to suggest that infringement proceedings are required 
because “several complaints against breaches of the GDPR filed on 25th May 2018, have not yet been 
decided by the Irish Data Protection Commissioner, which is the lead authority for these cases.” 


Quite apart from the fact that the complaints to which reference is made are not identified, the 
Committee has not engaged, at all, with the DPC in relation to such concerns as appear to be held by 
Committee members in relation to the DPC’s enforcement activity. That being so, it is difficult to 
understand how or on what basis the Committee could consider it appropriate to call for infringement 
proceedings at this juncture. 


Again, if and to the extent that the Committee wishes to obtain information relevant to the DPC’s 
enforcement record, or indeed to interrogate the DPC as regards its record or enforcement priorities, 
the DPC will be happy to assist, in such format or forum as the Committee considers useful. Pending 
such engagement, however, it neither advances the cause of data subjects, nor contributes to an 
effective regulatory enforcement regime, if positions are adopted by a Parliamentary Committee that 
are informed, not by objectively verifiable facts, but by the blanket adoption of third party 
commentary without critical (or any) analysis. 


Conclusion 


As indicated at the outset, I welcome the Committee’s engagement with the CJEU Judgment and 
issues relating to the enforcement of the GDPR generally. If the Committee considers it useful, I 
would be happy to engage with it with a view to advancing the Committee’s understanding of the 
issues through the provision of relevant information and a national regulator’s perspectives. I remain 
at the disposal of the Committee if it considers that such engagement would be helpful. 


Yours sincerely 
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Helen Dixon 


Commissioner for Data Protection (Ireland) 
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